[Privoxy-devel] WolfSSL support ready for testing

Ian Silvester iansilvester at fastmail.fm
Sat Mar 16 15:19:05 CET 2024


Thanks for the update Fabian,

I've a couple of other projects to complete first, but will put this on my to do list. Are there any particular use cases that would 'stress test' WolfSSL? As you know, I haven't run macOS as my daily driver for many years so, assuming I can get a stable compile, I'd need to have an idea of what testing would be useful to try out.

Cheers,

Ian

On Sat, 9 Mar 2024, at 07:27, Fabian Keil wrote:
> User Git <git at git.privoxy.org> wrote on 2024-03-09 at 12:10:21:
>
>> git pushed a commit to branch master
>> in repository privoxy.
>> 
>> commit eee84548c26f5d5efcb19a3a2c3c949a01de45c2
>> Author: Fabian Keil <fk at fabiankeil.de>
>> AuthorDate: Tue Jan 12 08:12:38 2021 +0100
>> 
>>     Allow to use wolfSSL for https inspection
>>     
>>     It's licensed under GPLv2 or later and unlike mbedTLS
>>     there don't seem to be plans to change the license.
>>     
>>     As a bonus, wolfSSL supports TLS 1.3 and can be significantly
>>     faster than mbedTLS. Mainly tested on ElectroBSD amd64 where
>>     it can compete with OpenSSL and LibreSSL:
>>     https://www.fabiankeil.de/gehacktes/privoxy-tls-benchmarks/
>>     
>>     To enable the support, install wolfSSL and run ./configure
>>     with the --with-wolfssl option.
>>     
>>     Privoxy users and packagers that currently build Privoxy
>>     binaries with mbedTLS may want to consider using wolfSSL
>>     in the future once it has been properly tested.
>>     
>>     Sponsored by: Privoxy project funds collected at SPI
>
> As you can see above I finally pushed the WolfSSL [0] support
> to the master branch.
>
> One issue I noticed while testing is that some websites
> including ours [1] can't be loaded anymore on my ElectroBSD
> system using the current WolfSSL 5.6.3:
>
> 12:17:20.862 048 Error: X509 certificate verification for 
> www.privoxy.org failed with error -313: received alert fatal error
>
> This used to work in 2021 when I wrote the code and
> I'm optimistic that this issue can be resolved by
> compiling WolfSSL differently.
>
> At the moment I'm configuring WolfSSL like this:
>
> CONFIGURE_ARGS=	--disable-dependency-tracking \
> 		--enable-certgen \
> 		--enable-des3 \
> 		--disable-des3-ciphers \
> 		--enable-dh \
> 		--enable-dsa \
> 		--enable-dtls \
> 		--enable-ecc \
> 		--enable-fastmath \
> 		--enable-fasthugemath \
> 		--enable-ipv6 \
> 		--enable-keygen \
> 		--enable-opensslall \
> 		--enable-opensslextra \
> 		--enable-renegotiation-indication \
> 		--enable-ripemd \
> 		--enable-sessioncerts \
> 		--enable-session-ticket \
> 		--enable-sp \
> 		--enable-sp-asm \
> 		--enable-sp-math-all \
> 		--enable-sha512 \
> 		--enable-shared \
> 		--enable-sni \
> 		--enable-ssh \
> 		--enable-static \
> 		--enable-tls13 \
> 		--enable-tls13-draft18
>
> I'll look into this.
>
> In the meantime I'd be interested to know how WolfSSL
> works on other platforms.
>
> I've compiled WolfSSL with a patch [2] to prevent a bad rating at [3].
>
> Fabian
>
> [0] <https://www.wolfssl.com/>
> [1] <https://www.privoxy.org/>
> [2] <https://github.com/wolfSSL/wolfssl/pull/7315>
> [3] <https://www.howsmyssl.com/>
>
> _______________________________________________
> Privoxy-devel mailing list
> Privoxy-devel at lists.privoxy.org
> https://lists.privoxy.org/mailman/listinfo/privoxy-devel
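A small harness for the kind of testing Ian asks about, added here as an example and not code from the Privoxy or wolfSSL projects. It fetches a constructed list of hosts with known certificate properties through an https-inspecting Privoxy, then reads the "X509 certificate verification ... failed with error" lines Privoxy writes (the -313 line in the thread is one) and reports hosts that failed when they should have verified, or verified when they should have failed. The proxy address, log path, Privoxy CA certificate path and the expected outcome per host are this example's own assumptions; the badssl.com names are the public test endpoints and were chosen here, not taken from the thread. Only the parsing and comparison run offline; the network part runs from `main()`.

```python
#!/usr/bin/env python3
"""Exercise a Privoxy https-inspection build against hosts with known
certificate properties and check Privoxy's X509 verification log lines
against the expected outcome.  Added example; not project code."""
import re
import subprocess
import sys

PROXY = "http://127.0.0.1:8118"                   # assumed Privoxy listen address
LOGFILE = "/var/log/privoxy/logfile"               # assumed Privoxy logfile
PRIVOXY_CA = "/usr/local/etc/privoxy/CA/cacert.crt"  # assumed ca-cert-file used for inspection

# Constructed test matrix (host -> True if verification is expected to succeed).
# Expectations are this example's own; a TLS library regression typically shows
# up as an "unexpected-failure" on a host that should verify.
CASES = {
    "www.privoxy.org": True,
    "expired.badssl.com": False,
    "self-signed.badssl.com": False,
    "wrong.host.badssl.com": False,
    "untrusted-root.badssl.com": False,
}

# Matches the error line format seen in the thread, e.g.
#   12:17:20.862 048 Error: X509 certificate verification for www.privoxy.org
#   failed with error -313: received alert fatal error
# \s+ between tokens also tolerates a line wrapped by a mail client.
ERROR_RE = re.compile(
    r"Error: X509 certificate verification for\s+(?P<host>\S+)\s+"
    r"failed with error\s+(?P<code>-?\d+):\s*(?P<reason>[^\n]*)"
)


def parse_verification_errors(log_text):
    """Return {host: (error_code, reason)} for every X509 failure in the log."""
    errors = {}
    for m in ERROR_RE.finditer(log_text):
        errors[m.group("host")] = (int(m.group("code")), m.group("reason").strip())
    return errors


def evaluate(cases, errors):
    """Compare expected pass/fail per host with what the log shows.
    Result per host: "ok", "unexpected-failure" or "unexpected-success"."""
    results = {}
    for host, should_pass in cases.items():
        failed = host in errors
        if should_pass and failed:
            results[host] = "unexpected-failure"
        elif not should_pass and not failed:
            results[host] = "unexpected-success"
        else:
            results[host] = "ok"
    return results


def fetch_through_proxy(host):
    """Request https://host/ via Privoxy; the inspected connection is re-signed
    with Privoxy's own CA, so curl is pointed at that CA (assumed path above)."""
    cmd = ["curl", "-sS", "-o", "/dev/null", "-w", "%{http_code}",
           "--max-time", "20", "--proxy", PROXY, "--cacert", PRIVOXY_CA,
           "https://%s/" % host]
    proc = subprocess.run(cmd, capture_output=True, text=True)
    return proc.returncode, proc.stdout.strip(), proc.stderr.strip()


def main():
    with open(LOGFILE, "r", errors="replace") as f:
        f.seek(0, 2)
        start = f.tell()            # only look at log lines produced by this run
    for host in CASES:
        rc, status, err = fetch_through_proxy(host)
        print("%-28s curl rc=%s http=%s %s" % (host, rc, status or "-", err))
    with open(LOGFILE, "r", errors="replace") as f:
        f.seek(start)
        errors = parse_verification_errors(f.read())
    results = evaluate(CASES, errors)
    bad = 0
    for host, verdict in results.items():
        detail = ""
        if host in errors:
            detail = "  (error %d: %s)" % errors[host]
        print("%-28s %s%s" % (host, verdict, detail))
        bad += verdict != "ok"
    sys.exit(1 if bad else 0)


if __name__ == "__main__":
    main()
```

Run it after restarting Privoxy with the wolfSSL build and the same test list against an OpenSSL or mbedTLS build to see whether a failure such as the -313 one is specific to the library or to the site. Each distinct error code reported for a host that should verify is a separate thing to investigate.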


More information about the Privoxy-devel mailing list